Visa Inc. took Heartland Payment Systems Inc. and RBS WorldPay off its list of service providers that are compliant with the PCI Data Security Standard.
In a statement released Friday, Visa said it was removing the payment processors based on "compromise event findings." RBS WorldPay's disclosure on Dec. 23 that it was breached was followed by Heartland's Jan. 20 announcement that hackers broke into its systems.
"Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor," Visa said. "Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance."
In a prepared statement, Heartland said it was certified as PCI-DSS compliant in April 2008 and expects to continue to be assessed as PCI-DSS compliant in the future.
"We're undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant," the company said.
Princeton, N.J.-based Heartland said its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, authorities in Tallahassee, Fla., arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey.
RBS WorldPay, the U.S. payment processing arm of the Royal Bank of Scotland, said personal information of about 1.5 million pre-paid cardholders and other individuals was compromised when its computer system was hacked. The Social Security numbers of 1.1 million of those cardholders may also have been compromised, the company said.
The stolen data was used in a highly coordinated ATM scam involving cloned payroll debit cards and reloadable gift cards.
"It is heartening to see that the card brands are cracking down on those firms that suffer a breach," Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said. "Removing them from the Visa list of compliant service providers sends a message that you can't just buy your way out of a breach."
He noted that RBS WorldPay and Heartland have both publicly commented about the high level of sophistication of the attacks against them. Both companies are "somehow trying to hide behind the sophistication of the attacks," he said.
"While I've not seen or heard any hard and fast details about the specific nature of the attacks and tools used, I don't think I would be surprised by the methods used and that there were control breakdowns in several places," Nebel said. "The fact that Visa took them off the list is evidence that the PCI DSS compliance they both had submitted was not adequate."
Randall Gamby, an independent information security analyst based in New York, said Visa's delisting action was standard according to the PCI DSS and could impact business for Heartland and RBS WorldPay.
"The merchants they process for have to make a decision. Are they willing to take the risk that these organizations can secure their data until the QSA findings come out, or will they go another route to process their payments?" he said.
Gamby said that PCI compliance is a good step towards security but it doesn't ensure security. Still, "it definitely hurts you if you don't have that stamp," he added.
David Schneier, a compliance consultant, said what the breaches at Heartland and RBS WorldPay have proven "is that the PCI standard is at best a good place to start but is not, by itself, the solution to the problem."
"PCI certification proves that there are controls in place consistent with the standard and that for the infrastructure elements included in the testing, those controls were applied properly," he said. "What it doesn't do well is address the remainder of the threat universe so there are many, many loopholes and vulnerabilities remaining."
By taking the payment processors off its list of certified providers, Visa is "offering a passive opinion of the PCI standard, which is that it doesn't amount to much in the end," Schneier said.
In its statement, Visa said the PCI DSS "remains an effective security tool when implemented properly – and remains the best defense for businesses against the loss of sensitive data."